Guest - Testers are needed for the reworked CDateTime core component. See... https://forum.kodi.tv/showthread.php?tid=378981 (September 29) x
FTPS and (Let's Encrypt - Free SSL/TLS Certificates)
Doktor-X
Senior Member
Posts: 239
#1
2020-09-01, 21:28
Hello i cant get certs from Let's Encrypt to work, ftp server is filezilla and its running on Windows 10 Pro certs are ok since i use them for website and are working just fine i have full log for devs to try and help if can, log is from coreelec build running on my s912 tv box but same error i get when i try to use latest windows 64bit nightly runing on windows pc

https://paste.kodi.tv/qebokaziqo.kodi
Find
Reply
asavah
Posting Freak
Posts: 1,010
#2
2020-09-01, 21:50
What certficate file is configured in filezilla?
cert.pem chain.pem fullchain.pem? Try fullchain.pem .
And of course the hostname you are connecting to should match the certificate.
Find
Reply
Doktor-X
Senior Member
Posts: 239
#3
2020-09-01, 21:59
after generating cert on zerossl.com i have downloaded zip with certs and inside of this zip is certificate.crt and certificate.key, so normal stuf nothing special. All this was working fine prior to last 2 or 3 90day renew's and now i have this strange problem

Image
Find
Reply
asavah
Posting Freak
Posts: 1,010
#4
2020-09-01, 23:56
if it was working "prior to last 2 or 3 90day renew's"  one might think that something has changed in zerossl certficate chain.

The actual error is:
Code:
2020-09-01 20:58:03.268 T:4090958416 DEBUG: Curl::Debug - TEXT: TLSv1.2 (OUT), TLS alert, unknown CA (560):
2020-09-01 20:58:03.269 T:4090958416 DEBUG: Curl::Debug - TEXT: SSL certificate problem: unable to get local issuer certificate

And btw zerossl is NOT letsencrypt as your thread title states.

Edit2:
you need to concatenate ca_bundle.crt and certificate.crt into one file eg. full.crt to create a proper trust chain and point filezilla to use that file instead of just certificate.crt.

Edit:
Code:
2020-09-01 20:58:03.191 T:4090958416 DEBUG: Curl::Debug - TEXT: CAfile: /run/libreelec/cacert.pem

This file might need an update, ask your OS developers on their forum.
Find
Reply
wsnipex
Team-Kodi
Posts: 7,658
#5
2020-09-02, 09:43
a proper CA should provide you with a trust chain file. Either in the server.pem or an extra file.
Team XBMC stable PPA -- Team XBMC unstable PPA -- Team XBMC nightly PPA
DEBUG log
Find
Reply
Doktor-X
Senior Member
Posts: 239
#6
2020-09-02, 20:37
I have reissued certs and this time using certbot for windows client and not zerossl.com web client, and after adding generated .pem cert and key to filezilla i can access to server, but i cant access content inside of folders if i dont uncheck "Require TLS session resumption on data connection when using PROT P". Prior to all of that i think that in filezill that prot p option was selected but i gess when zerossl started to give out cert with ther name and not lets encrypt's like before something changed and broke my setup
Find
Reply

Home
Search
Help
Logout Mark Read Team Forum Stats Members Help
FTPS and (Let's Encrypt - Free SSL/TLS Certificates)0